Introduction

The past few years have produced innovative health-oriented networking
and wireless communication technologies, ranging from
low-power medical radios that harvest body energy to wireless
sensor networks for in-home monitoring and diagnosis. Today,
such wireless systems have become an intrinsic part of many
modern medical devices. In particular, implantable medical
devices (IMDs), including pacemakers, cardiac defibrillators, insulin
pumps, and neurostimulators all feature wireless communication
Adding wireless connectivity to IMDs has enabled remote
monitoring of patients’ vital signs and improved care providers’
ability to deliver timely treatment, leading to a better health care
system.

Recent work at the computer science department in UMASS,
has shown that such wireless connectivity
can be exploited to compromise the confidentiality of the IMD’s
transmitted data or to send the IMD unauthorized commands—
even commands that cause the IMD to deliver an electric shock to
the patient. In other systems, designers use cryptographic
methods to provide confidentiality and prevent unauthorized access.
However, adding cryptography directly to IMDs themselves
is difficult for the following reasons:

• Inalterability: In the U.S. alone, there are millions of people who
already have wireless IMDs, and about 300,000 such IMDs are
implanted every year. Once implanted, an IMD can last up to
10 years, and replacing it requires surgery that carries risks
of major complications. Incorporating cryptographic mechanims
into existing IMDs may be infeasible because of limited device
memory and hence can only be achieved by replacing the IMDs.
This is not an option for people who have IMDs or may acquire
them in the near future.

• Safety: It is crucial to ensure that health care professionals always
have immediate access to an implanted device. However, if
cryptographic methods are embedded in the IMD itself, the device
may deny a health care provider access unless she has the
right credentials. Yet, credentials might not be available in scenarios
where the patient is at a different hospital, the patient is
unconscious, or the cryptographic key storage is damaged or unreachable.
Inability to temporarily adjust or disable an
IMD could prove fatal in emergency situations.

• Maintainability: Software bugs are particularly problematic for
IMDs because they can lead to device recalls. In the last eight
years, about 1.5 million software-based medical devices were recalled.
Between 1999 and 2005, the number of recalls of
software-based medical devices more than doubled; more than
11% of all medical-device recalls during this time period were
attributed to software failures. Such recalls are costly and
could require surgery if the model is already implanted. Thus, it
is desirable to limit IMDs’ software to only medically necessary
functions.

This project explores the feasibility of protecting IMDs without
modifying them by implementing security mechanisms entirely on
an external device. Such an approach enhances the security of IMDs
for patients who already have them, empowers medical personnel
to access a protected IMD by removing the external device or powering
it off, and does not in itself increase the risk of IMD recalls.